SoFunction
Updated on 2025-03-10

Build a secure personal web server (Windows Server 2003, SQL Server 2000)

1. Installation of Windows Server 2003
1. Create at least two partitions and format all of them as NTFS, so that the system and the web content can live on separate volumes with their own ACLs.

2. Install the 2003 system with the network cable unplugged, so the machine is not exposed before it has been patched.

3. Install IIS, and install only the IIS components you actually need (do not install FTP, SMTP or NNTP unless required).
IIS is not installed by default. In Add/Remove Windows Components select "Application Server", click "Details",
double-click Internet Information Services (IIS) and check only the following:
Internet Information Services Manager; Common Files; Background Intelligent Transfer Service (BITS) Server Extensions; World Wide Web Service.
Check FrontPage 2002 Server Extensions only if the site really is managed through FrontPage extensions.

4. Install MSSQL and the other software you need, then apply all updates (Windows service packs and hotfixes, SQL Server service packs).

5. Run Microsoft's MBSA (Microsoft Baseline Security Analyzer) against the machine to check its security configuration
and list the patches and updates that are still missing. It is a free download from Microsoft.



2. Set up and manage accounts
1. Keep the number of administrator accounts to a minimum, rename the built-in Administrator account and change its description, and give it a
password that mixes upper- and lower-case letters, digits and symbols and is at least 14 characters long.

2. Create a decoy account named Administrator with the least possible rights, and give it an arbitrary complex password of at least 20
characters. Bear in mind that renaming only defeats casual guessing: the real administrator account keeps RID 500 and tools that enumerate SIDs can still find it.

3. Disable the Guest account, rename it, change its description and give it a complex password. There is also a
DelGuest tool that can supposedly delete the Guest account outright, but I have not tried it.

4. Open the Group Policy Editor from Run and go to Computer Configuration - Windows Settings - Security Settings - Account Policies
- Account Lockout Policy. Set "Account lockout threshold" to 3 invalid logon attempts, "Account lockout duration" to 0 (the account stays locked until an administrator unlocks it) and "Reset account lockout counter after" to 30 minutes. Be aware that a permanent lockout lets anyone who can reach a logon interface lock accounts out on purpose; a finite duration such as 30 minutes still blunts password guessing.

5. Under Security Settings - Local Policies - Security Options, enable "Interactive logon: Do not display last user name".

6. Under Security Settings - Local Policies - User Rights Assignment, for the logon rights that IIS needs keep only the Internet guest account (IUSR_machinename) and the IIS
process account (IWAM_machinename). If you run ASP.NET, keep the ASPNET account as well.

7. Do everyday work from an ordinary User account; when a command needs administrator rights, run it with Runas.

3. Network service security management
1. Disable the administrative default shares C$, D$ and ADMIN$.
Open the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and, in the right-hand
pane, create a new DWORD value named AutoShareServer with the value 0. It takes effect after the Server service is restarted (or after a reboot); IPC$ is not affected by this value.

2. Unbind NetBIOS from TCP/IP.
Right-click My Network Places - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP. This closes the NetBIOS ports (137-139); SMB still listens directly on TCP 445.

3. Turn off unnecessary services. Recommended candidates:
Computer Browser: maintains the list of computers on the network; disable.
Distributed File System: manages DFS shares on a LAN; not needed here, disable.
Distributed Link Tracking Client: tracks moved linked files across the LAN; not needed, disable.
Error Reporting Service: disable, so no error reports are sent.
Microsoft Search: full-text indexing; disable if nothing needs it.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if neither is used.
Print Spooler: disable if there is no printer.
Remote Registry: disable, so the registry cannot be modified remotely.
Remote Desktop Help Session Manager: disable, so Remote Assistance is not available.


4. Enable a suitable audit policy
Open the Group Policy Editor from Run and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy.
When choosing what to audit, remember that the more categories you audit, the more events are generated and the harder it becomes to spot the serious ones;
audit too little, however, and you will miss serious incidents. Strike the balance that fits your situation.
Recommended settings:
Audit logon events: Success, Failure
Audit account logon events: Success, Failure
Audit system events: Success, Failure
Audit policy change: Success, Failure
Audit object access: Failure
Audit directory service access: Failure
Audit privilege use: Failure
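As an added example (not part of the original article), here are the account settings from section 2 and the audit settings from section 4 expressed as a security template that secedit.exe, which ships with Windows Server 2003, can apply in one step. The account names SrvOps and NoGuest are placeholders, and the lockout duration deliberately uses 30 minutes instead of the article's 0; the comments explain both.

```ini
; harden.inf - added example security template covering sections 2 and 4.
; Save the file as Unicode (UTF-16) before applying it.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Section 2, items 1 and 3: rename the built-in accounts and disable Guest.
; The new names are placeholders; renaming does not change the RID 500 SID.
NewAdministratorName = "SrvOps"
NewGuestName = "NoGuest"
EnableGuestAccount = 0
; Section 2, item 4: lock after 3 bad attempts, reset the counter after 30 min.
; The article's lockout duration of 0 ("until an administrator unlocks") is
; written as -1 in template syntax; 30 minutes is used here because a permanent
; lockout lets a remote attacker lock accounts out on purpose.
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
; Section 2, item 1: password length and complexity for all accounts.
MinimumPasswordLength = 14
PasswordComplexity = 1

[Event Audit]
; Section 4. Values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2

[Registry Values]
; Section 2, item 5: "Interactive logon: Do not display last user name".
; Format is path=type,value where 4 means REG_DWORD.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
```

Apply it from an administrative command prompt with secedit /configure /db %TEMP%\harden.sdb /cfg harden.inf /log %TEMP%\harden.log, and afterwards run secedit /analyze /db %TEMP%\harden.sdb /cfg harden.inf /log %TEMP%\analyze.log: the analysis log lists every setting on the machine that still differs from the template, which is the check you want after any later change.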


5. Other security-related settings

1. Hide important files and directories
Explorer's "Show hidden files and folders" option can be disabled through the registry: under
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
right-click "CheckedValue", select Modify and change the value from 1 to 0. This only hides files from the Explorer GUI; anyone with a command prompt can still list them (dir /a, attrib), so treat it as cosmetic rather than as a security control.
2. Enable the Internet Connection Firewall that comes with the system and, on its Settings - Services tab, tick Web Server (HTTP) so that only port 80 is reachable.

3. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with the value 2 (this is the Windows 2000 value; Windows Server 2003 documents only 0 and 1, where 1 turns the protection on).

4. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
\Interfaces\<interface GUID>
Create a new DWORD value named PerformRouterDiscovery with the value 0 (under the subkey of every network adapter).

5. Ignore ICMP redirect packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the DWORD value EnableICMPRedirects to 0.

6. Disable IGMP (multicast)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with the value 0.

7. Disable DCOM:
Open Component Services from Run, expand Console Root - Component Services - Computers,
right-click My Computer and select Properties, then go to the Default Properties tab
and clear the "Enable Distributed COM on this computer" check box. Anything that relies on DCOM (remote WMI management, for example) stops working, so test before relying on it.

8. Rename cmd.exe in the System32\dllcache folder first (otherwise Windows File Protection restores the original), then rename cmd.exe in System32. Note that this breaks batch files, installers and anything else that spawns cmd.exe, and it only inconveniences an attacker who already has code execution; tightening the ACL on cmd.exe to Administrators is the less disruptive alternative.

Note: items 3 to 6 are the settings I used on Windows 2000 Server; I have not tested whether they work on 2003. What I can say is that during the time
I used them I found no other side effects.
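The registry changes from section 3 item 1 and section 5 items 1 and 3 to 7, collected into one script that uses reg.exe (built into Windows Server 2003). This is an added example, not taken from the original article: it applies the Windows Server 2003 value 1 for SynAttackProtect instead of the article's Windows 2000 value 2, walks every adapter subkey for PerformRouterDiscovery, and for item 7 writes the EnableDCOM value that sits behind the Component Services check box. Each value is printed back afterwards so the result can be confirmed.

```batch
@echo off
setlocal
rem harden-registry.cmd - added example; applies the registry items from
rem sections 3.1 and 5.1, 5.3-5.7 with reg.exe and prints them back.
rem Run from an administrative command prompt, then reboot.

set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set SHOWALL=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

rem 3.1  Stop the Server service from creating C$, D$ and ADMIN$ (IPC$ stays).
reg add "%LANMAN%" /v AutoShareServer /t REG_DWORD /d 0 /f

rem 5.1  Make Explorer's "Show hidden files" option ineffective (cosmetic only).
reg add "%SHOWALL%" /v CheckedValue /t REG_DWORD /d 0 /f

rem 5.3  SYN flood protection. The article's value 2 is from Windows 2000;
rem      Windows Server 2003 documents 0 (off) and 1 (on).
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 1 /f

rem 5.5  Ignore ICMP redirects.   5.6  Disable IGMP (multicast).
reg add "%TCPIP%" /v EnableICMPRedirects /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v IGMPLevel /t REG_DWORD /d 0 /f

rem 5.4  PerformRouterDiscovery lives under each adapter's own subkey, so list
rem      Interfaces\{GUID} and set it on every one of them.
for /f "delims=" %%K in ('reg query "%TCPIP%\Interfaces" ^| findstr /i /l /c:"Interfaces\{"') do (
    reg add "%%K" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f
)

rem 5.7  Disable DCOM. This REG_SZ value ("Y" or "N") is what the "Enable
rem      Distributed COM on this computer" check box toggles.
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f

echo.
echo === Verification ===
reg query "%LANMAN%" /v AutoShareServer
reg query "%SHOWALL%" /v CheckedValue
reg query "%TCPIP%" /v SynAttackProtect
reg query "%TCPIP%" /v EnableICMPRedirects
reg query "%TCPIP%" /v IGMPLevel
reg query "%TCPIP%\Interfaces" /s /v PerformRouterDiscovery
reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM
echo Reboot (or at least restart the Server service) for every value to take effect.
endlocal
```

The verification block is the part worth keeping around: re-run those reg query lines after any service pack or management tool has touched the box, since installers do reset TCP/IP and DCOM settings.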


6. Configure the IIS service:
1. Do not use the Default Web Site. If you do use it, move its home directory off the system drive.

2. Delete the Inetpub directory that IIS creates by default on the system drive (after moving your content elsewhere).

3. Delete the sample and administrative virtual directories on the system drive, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and
MSADC.

4. Remove unnecessary IIS application (extension) mappings.

Right-click Default Web Site - Properties - Home Directory - Configuration to open the application mappings window and remove every mapping the site does not use,
chiefly .shtml, .shtm and .stm (server-side includes).

5. Move the IIS log files
Right-click Default Web Site - Properties - Web Site tab - tick Enable logging and click Properties, then set the log file directory to a volume other than the system drive.

6. On Windows 2000 use IISLockdown to harden IIS. IIS 6.0 on Windows Server 2003 ships locked down and does not need it.

7. Use UrlScan
UrlScan is an ISAPI filter that inspects incoming HTTP requests and rejects anything suspicious before IIS processes it. The latest version
is 2.5; on Windows 2000 Server you must install version 1.0 or 2.0 first, because 2.5 installs as an upgrade.


If you have no special requirements, keep UrlScan's default configuration.

But if you run applications on the server and need to debug them, edit UrlScan.ini in the %WINDIR%\System32\Inetsrv\URLscan
folder and add the DEBUG verb to the [AllowVerbs] section (which is enforced when UseAllowVerbs=1 in [Options]); note that verb matching is case sensitive.

If your pages are ASP pages, remove the .asp entries from the [DenyExtensions] section.

If your site's URLs contain non-ASCII characters, set AllowHighBitCharacters to 1 in the [Options] section.

Changes to the file take effect only after IIS is restarted; the quickest way is to run iisreset.

If problems appear after configuration, UrlScan can be removed through Add/Remove Programs.
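The three UrlScan.ini edits described above, shown in one fragment as an added illustration. This is not the file that ships with UrlScan 2.5 (the real one has many more entries, and whether .asp appears in its DenyExtensions list depends on the template you installed); it only shows where each setting lives and what the default and the relaxed value look like.

```ini
; Fragment of UrlScan.ini in %WINDIR%\System32\Inetsrv\URLscan; an added
; illustration of the three edits described above, not the full shipped file.

[Options]
; 1 = accept only the verbs listed in [AllowVerbs]; every other verb is rejected.
UseAllowVerbs=1
; Default: reject requests whose URL contains bytes above 0x7F.
; Change this to 1 if the site's URLs contain non-ASCII characters.
AllowHighBitCharacters=0

[AllowVerbs]
; Verb matching is case sensitive, so write them exactly as clients send them.
GET
HEAD
POST
; Uncomment DEBUG only while debugging applications on this server,
; and comment it out again afterwards.
;DEBUG

[DenyExtensions]
; Requests for these extensions are rejected before IIS sees them.
.exe
.bat
.cmd
.com
.shtml
.shtm
.stm
; A site that serves ASP pages must not list .asp here; delete the line.
;.asp
```

Remember that UrlScan reads the file only at startup, so after each edit run iisreset and then confirm the new behaviour with a request (for example a DEBUG request with telnet to port 80) rather than assuming it took effect.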

8. Run the WIS (Web Injection Scanner) tool against the whole site to scan for SQL injection vulnerabilities.


7. Configure SQL Server
1. The sysadmin role should have no more than two members.

2. If the web application runs on the same machine, configure the server for Windows Authentication mode.

3. Do not use the sa account for applications, and give it a very complex password (SQL Server 2000 setup allows sa to be left with a blank password).

4. Drop the following extended stored procedures.
The syntax is:
use master
sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: the most direct route from SQL Server to an operating system shell; drop it.

Procedures that access the registry; drop them:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite

OLE Automation procedures; drop them if nothing needs them:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop

5. Rename the DLL that implements xp_cmdshell (xplog70.dll in the instance's Binn directory) so that a sysadmin-level attacker cannot simply re-register the procedure with sp_addextendedproc. The other procedures hosted in that DLL (xp_logevent, for example) stop working as well.

6. Hide the SQL Server instance and change the default port 1433
In Enterprise Manager right-click the server - Properties - General - Network Configuration, select the TCP/IP protocol and open its Properties, tick Hide server
and change the default port 1433. Note that in SQL Server 2000 ticking Hide server switches the listening port to 2433 and the option can only be used on one instance per machine. A different port keeps casual scanners away but is no substitute for the IPSec or firewall filtering described below.
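An added example, not from the original article: the checks and removals from this section scripted with osql.exe, the command-line client that ships with SQL Server 2000. It connects to the local default instance with Windows authentication (use -S .\INSTANCENAME for a named instance), prints the sysadmin members, the login mode and whether sa still has a blank password so that items 1 to 3 can be checked, drops every procedure from item 4 that still exists, and finally queries sysobjects to confirm they are gone.

```batch
@echo off
setlocal
rem harden-sql2000.cmd - added example; uses osql, which ships with SQL 2000.
rem -E = Windows authentication, -S . = local default instance,
rem -n = no line numbers in the output, -w = output width.
set OSQL=osql -E -S . -n -w 120

echo === Item 1: members of the sysadmin role (should be at most two) ===
%OSQL% -Q "SELECT name FROM master..syslogins WHERE sysadmin = 1"

echo === Item 2: authentication mode (expect Windows Authentication) ===
%OSQL% -Q "EXEC master..xp_loginconfig 'login mode'"

echo === Item 3: sa must not have a blank password (stored as NULL) ===
%OSQL% -Q "SELECT CASE WHEN password IS NULL THEN 'sa password is BLANK' ELSE 'sa password is set' END FROM master..sysxlogins WHERE name = 'sa'"

echo === Item 4: drop xp_cmdshell, the xp_reg* procedures and the sp_OA* procedures ===
for %%P in (xp_cmdshell xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread xp_regremovemultistring xp_regwrite sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop) do (
    rem Only drop what is still present, so the script can be re-run safely.
    %OSQL% -Q "USE master IF OBJECT_ID('%%P') IS NOT NULL EXEC sp_dropextendedproc '%%P'"
)

echo === Verification: anything listed below still exists ===
rem %% is a literal percent sign in a batch file, so these are LIKE 'xp[_]reg%' and 'sp[_]OA%'.
%OSQL% -Q "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND (name = 'xp_cmdshell' OR name LIKE 'xp[_]reg%%' OR name LIKE 'sp[_]OA%%')"

echo (Item 5: dropping alone is not enough; a sysadmin can re-register xp_cmdshell
echo  from xplog70.dll with sp_addextendedproc, so rename that DLL in Binn as well.)
endlocal
```

Run it as a Windows account that is a member of sysadmin. If the verification query returns an empty result the drops succeeded; if the login mode reads Mixed, switch it in Enterprise Manager (Properties - Security) and restart the service, since that setting is not changed by this script.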


8. If the machine is purely a server and does nothing else, use IPSec filtering
1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions. On the Manage IP Filter Lists tab click
Add, name the list "Web filter", click Add, enter "web server" as the description, set the source address to Any IP Address, set the destination address
to My IP Address, set the protocol type to TCP and the IP protocol port to "From any port" and "To this port" 80, click
Finish, then OK.

2. On the Manage IP Filter Lists tab click
Add again, name the list "All inbound", click Add, enter "all inbound" as the description, set the source address to Any IP Address, set the destination address
to My IP Address, set the protocol type to Any, click Next, Finish, then OK.

3. On the Manage Filter Actions tab click Add - Next - enter Block - Next - select Block - Next -
Finish, then close the Manage IP Filter Lists and Filter Actions window.

4. Right-click IP Security Policies - Create IP Security Policy - Next - name it "Packet filter" - Next - untick "Activate the default
response rule" - Next - Finish.

5. In the properties window of the new policy click Add - Next - This rule does not specify a tunnel - Next - All network connections -
Next - select the newly created "Web filter" in the IP filter list - Next - select Permit as the filter action - Next -
Finish; then Add again, select the newly created "All inbound" list - Next - select Block as the filter action - Next -
Finish - OK.

6. In the right-hand pane of IP Security Policies right-click the new "Packet filter" policy and click Assign. No restart is needed; the IPSec policy takes effect immediately.

Two caveats. IPSec filters are stateless and mirrored by default, so the "All inbound" block rule also stops the server from opening connections of its own (DNS lookups, Windows Update) and blocks remote administration such as Remote Desktop: add explicit Permit filters for anything you still need before assigning the policy, or you will lock yourself out of the machine. Windows Firewall (section 5, item 2) is stateful and is usually the simpler choice for the same goal.
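The six GUI steps above as a script, using the netsh ipsec static context that is built into Windows Server 2003. This is an added example and not part of the original article: it creates the same two filter lists, a Permit and a Block action and the "Packet filter" policy without the default response rule, then assigns it. The Remote Desktop filter near the end goes beyond the article and exists so that remote administration survives; the management address 192.0.2.10 is a placeholder to replace with your own.

```batch
@echo off
setlocal
rem ipsec-webonly.cmd - added example for section 8 using netsh ipsec static.
rem Roll back at any time with:
rem   netsh ipsec static set policy name="Packet filter" assign=n
set NI=netsh ipsec static

rem Step 1: list "Web filter": any source -> my address, TCP any port -> 80.
%NI% add filterlist name="Web filter" description="web server"
%NI% add filter filterlist="Web filter" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="inbound HTTP"

rem Step 2: list "All inbound": any source -> my address, any protocol.
rem Because the filter is mirrored it also matches traffic this host sends out.
%NI% add filterlist name="All inbound" description="all inbound"
%NI% add filter filterlist="All inbound" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="everything else"

rem Step 3: filter actions (own names, so they do not collide with the built-in Permit).
%NI% add filteraction name="Permit traffic" action=permit
%NI% add filteraction name="Block traffic" action=block

rem Step 4: the policy, without the default response rule.
%NI% add policy name="Packet filter" description="allow web, block the rest" activatedefaultrule=no

rem Step 5: rules. IPSec applies the most specific matching filter, so the
rem TCP/80 permit wins over the any-protocol block for web traffic.
%NI% add rule name="Allow web" policy="Packet filter" filterlist="Web filter" filteraction="Permit traffic" conntype=all
%NI% add rule name="Block inbound" policy="Packet filter" filterlist="All inbound" filteraction="Block traffic" conntype=all

rem Beyond the article: keep Remote Desktop reachable from one management host
rem (placeholder address); without this, assigning the policy locks you out.
%NI% add filterlist name="Admin RDP" description="RDP from the management host"
%NI% add filter filterlist="Admin RDP" srcaddr=192.0.2.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
%NI% add rule name="Allow admin RDP" policy="Packet filter" filterlist="Admin RDP" filteraction="Permit traffic" conntype=all

rem Step 6: assign; takes effect without a reboot.
%NI% set policy name="Packet filter" assign=y

echo === Verification ===
%NI% show policy name="Packet filter" level=verbose
endlocal
```

Test from another machine immediately after assigning: port 80 should answer, everything else should time out rather than refuse, and RDP should work only from the management address. If the test fails, run the rollback line from the top of the script at the console.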


9. Suggestions
If you follow this article, test the server after every single change, so that when something breaks you can undo that change immediately. If you change
many items at once it becomes hard to tell which one caused the problem.

10. Once the server is in service, record its running programs and open ports.
1. Capture or record the server's current processes and save the list, so it can be compared later to spot unknown programs.
2. Capture or record the currently open ports and save the list, so it can be compared later to spot newly opened ports.
If you can account for every process, the port step can be omitted.
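An added example (not from the article) of the two snapshots described in section 10 and of the later comparison, using only tasklist.exe, netstat.exe, findstr.exe, sort.exe and fc.exe from Windows Server 2003. Run "baseline.cmd init" once the server is fully configured and "baseline.cmd check" at any later time; the snapshot directory C:\Baseline is an assumed location. The PID column is dropped from the process list so that a reboot does not produce false differences.

```batch
@echo off
setlocal
rem baseline.cmd - added example for section 10: snapshot the running
rem processes and the listening ports, and diff later runs against it.
set BASE=C:\Baseline
if not exist "%BASE%" mkdir "%BASE%"

if /i "%1"=="init" goto init
if /i "%1"=="check" goto check
echo usage: %~nx0 init ^| check
exit /b 2

:snapshot
rem %1 = output prefix. Processes are recorded as image name plus the services
rem hosted in it; the PID column is dropped because PIDs change on every reboot.
set OUT=%~1
(for /f "tokens=1,2* delims=," %%a in ('tasklist /svc /fo csv /nh') do echo %%a %%c) > "%OUT%-procs.tmp"
sort "%OUT%-procs.tmp" /O "%OUT%-procs.txt"
del "%OUT%-procs.tmp"
rem Ports: TCP sockets in LISTENING state plus every UDP socket. To find the
rem process behind a new port later, run netstat -ano and match the PID.
netstat -an | findstr /i "LISTENING UDP" > "%OUT%-ports.tmp"
sort "%OUT%-ports.tmp" /O "%OUT%-ports.txt"
del "%OUT%-ports.tmp"
goto :eof

:init
call :snapshot "%BASE%\base"
echo Baseline written to "%BASE%\base-procs.txt" and "%BASE%\base-ports.txt"
goto end

:check
call :snapshot "%BASE%\now"
set DIFF=0
echo === Process differences (left: baseline, right: now) ===
fc "%BASE%\base-procs.txt" "%BASE%\now-procs.txt"
if errorlevel 1 set DIFF=1
echo === Port differences (left: baseline, right: now) ===
fc "%BASE%\base-ports.txt" "%BASE%\now-ports.txt"
if errorlevel 1 set DIFF=1
rem fc returns 0 when the files are identical and 1 when they differ.
if "%DIFF%"=="1" echo *** Unknown processes or ports: investigate before trusting this host.

:end
endlocal
```

Copy the two base-*.txt files somewhere the server cannot write to (or print them), because an attacker who gains administrator rights can simply edit the baseline to match; the comparison is only as trustworthy as the stored snapshot.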